Defect #34367
Allowed filename extensions of attachments can be circumvented
Status: closed
Description
In #20008, Redmine introduced the ability to restrict the allowed extensions of attachment filenames.
This check is not exhaustive, though, so the restriction is easy to subvert. There are two ways a user can still use an arbitrary filename despite the restriction being in place:
- As reported by Bartu Ogur via email to security@redmine.org, it is possible to update the filename of an uploaded attachment when it is attached to an object. The filename of the original file is checked only during attachments#upload, when the attachment is initially created. However, we allow the filename (and content type) of an attachment to be overwritten when it is attached to an object, in redmine:source:trunk/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb#L105.
- Furthermore, after an attachment was initially added with an allowed extension and successfully attached to an object, its filename can be edited freely and set to any value, including a name with a forbidden extension.
For administrators trying to restrict the types of files that can be uploaded, these limitations are not obvious, which makes relying on this feature potentially dangerous (all the more so because Redmine uses the extension to determine the content type in many places).
To fix the reported issue and to enforce the restriction everywhere the filename can change, we could use the attached patch against current trunk. With this patch, each change of the filename is validated against the list of allowed extensions. This removes the ability to set a currently forbidden extension on any attachment, regardless of when it was created.
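The gap and the fix, as an added example in plain Ruby that is not Redmine's own code: a constructed allow-list, a model that checks the name only when the upload is created (the reported behaviour, where both the attach-time override and a later edit go through an unchecked setter) beside one that validates every assignment (what the patch does). The class names, `extension_allowed?` and `upload_then_rename` are hypothetical; Redmine's real model uses Rails validations and reads its list from a setting.

```ruby
require 'set'

# Constructed allow-list for the example; Redmine keeps the real list in a
# setting, which is not modelled here.
ALLOWED_EXTENSIONS = Set.new(%w[png jpg jpeg gif pdf txt]).freeze

class ExtensionNotAllowed < StandardError; end

# The extension is the text after the last dot, lowercased, or nil when there
# is none (".htaccess" and "README" have no extension). Only the last
# extension counts, so "shell.php.jpg" is "jpg"; an allow-list is safe against
# double extensions, but it must be applied to every name the record ever gets.
def extension_of(filename)
  ext = File.extname(filename.to_s).delete_prefix('.').downcase
  ext.empty? ? nil : ext
end

def extension_allowed?(filename, allowed = ALLOWED_EXTENSIONS)
  ext = extension_of(filename)
  !ext.nil? && allowed.include?(ext)
end

# "Before": the name is checked once, when the upload is created. Any later
# assignment (attach-time override or edit) is accepted without a check.
class LeakyAttachment
  attr_reader :filename

  def initialize(filename)
    raise ExtensionNotAllowed, filename unless extension_allowed?(filename)
    @filename = filename
  end

  def filename=(new_name)
    @filename = new_name # no validation: this is the bypass
  end
end

# "After": every assignment, including the initial one, is validated, so a
# forbidden extension can never be set, whenever the record was created.
class StrictAttachment
  attr_reader :filename

  def initialize(filename)
    self.filename = filename
  end

  def filename=(new_name)
    raise ExtensionNotAllowed, new_name unless extension_allowed?(new_name)
    @filename = new_name
  end
end

# Create an attachment with `initial`, then try to rename it to `renamed`.
# Returns the filename the record ends up with, or nil if creation itself
# was rejected.
def upload_then_rename(klass, initial, renamed)
  att = klass.new(initial)
  att.filename = renamed
  att.filename
rescue ExtensionNotAllowed
  att&.filename
end

if $PROGRAM_NAME == __FILE__
  puts upload_then_rename(LeakyAttachment, 'report.pdf', 'shell.php')   # shell.php
  puts upload_then_rename(StrictAttachment, 'report.pdf', 'shell.php')  # report.pdf
end
```

The strict setter is the whole fix: once the check runs on assignment rather than only at upload time, the attach-time override in acts_as_attachable and the later edit are covered by the same rule, and there is no window in which a record can carry a name that the current policy forbids.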